# HG changeset patch # User mullan # Date 1368217731 14400 # Node ID 1112bf0189775880585a09e8631ce2e696b05064 # Parent ad785fb5f898bf17a5ff7c27f72c9858ca290bac 8010714: XML DSig API allows a RetrievalMethod to reference another RetrievalMethod Reviewed-by: xuelei, hawtin diff -r ad785fb5f898 -r 1112bf018977 src/share/classes/com/sun/org/apache/xml/internal/security/keys/KeyInfo.java --- a/src/share/classes/com/sun/org/apache/xml/internal/security/keys/KeyInfo.java Wed Mar 20 13:39:56 2013 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/keys/KeyInfo.java Fri May 10 16:28:51 2013 -0400 @@ -54,6 +54,7 @@ import com.sun.org.apache.xml.internal.security.utils.IdResolver; import com.sun.org.apache.xml.internal.security.utils.SignatureElementProxy; import com.sun.org.apache.xml.internal.security.utils.XMLUtils; +import org.w3c.dom.Attr; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; @@ -128,8 +129,11 @@ */ public KeyInfo(Element element, String BaseURI) throws XMLSecurityException { super(element, BaseURI); - // _storageResolvers.add(null); + Attr attr = element.getAttributeNodeNS(null, "Id"); + if (attr != null) { + element.setIdAttributeNode(attr, true); + } } /** @@ -139,9 +143,8 @@ */ public void setId(String Id) { - if ((Id != null)) { - this._constructionElement.setAttributeNS(null, Constants._ATT_ID, Id); - IdResolver.registerElementById(this._constructionElement, Id); + if (Id != null) { + setLocalIdAttribute(Constants._ATT_ID, Id); } } @@ -1008,7 +1011,7 @@ /** * Stores the individual (per-KeyInfo) {@link KeyResolver}s */ - List _internalKeyResolvers = null; + List _internalKeyResolvers = new ArrayList(); /** * This method is used to add a custom {@link KeyResolverSpi} to a KeyInfo diff -r ad785fb5f898 -r 1112bf018977 src/share/classes/com/sun/org/apache/xml/internal/security/signature/Manifest.java --- a/src/share/classes/com/sun/org/apache/xml/internal/security/signature/Manifest.java Wed Mar 20 13:39:56 2013 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/signature/Manifest.java Fri May 10 16:28:51 2013 -0400 @@ -42,6 +42,7 @@ import com.sun.org.apache.xml.internal.security.utils.XMLUtils; import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver; import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverSpi; +import org.w3c.dom.Attr; import org.w3c.dom.DOMException; import org.w3c.dom.Document; import org.w3c.dom.Element; @@ -100,6 +101,11 @@ super(element, BaseURI); + Attr attr = element.getAttributeNodeNS(null, "Id"); + if (attr != null) { + element.setIdAttributeNode(attr, true); + } + // check out Reference children this._referencesEl = XMLUtils.selectDsNodes(this._constructionElement.getFirstChild(), Constants._TAG_REFERENCE); @@ -120,6 +126,11 @@ this._references = new ArrayList(le); for (int i = 0; i < le; i++) { + Element refElem = this._referencesEl[i]; + Attr refAttr = refElem.getAttributeNodeNS(null, "Id"); + if (refAttr != null) { + refElem.setIdAttributeNode(refAttr, true); + } this._references.add(null); } } @@ -220,8 +231,7 @@ public void setId(String Id) { if (Id != null) { - this._constructionElement.setAttributeNS(null, Constants._ATT_ID, Id); - IdResolver.registerElementById(this._constructionElement, Id); + setLocalIdAttribute(Constants._ATT_ID, Id); } } diff -r ad785fb5f898 -r 1112bf018977 src/share/classes/com/sun/org/apache/xml/internal/security/signature/ObjectContainer.java --- a/src/share/classes/com/sun/org/apache/xml/internal/security/signature/ObjectContainer.java Wed Mar 20 13:39:56 2013 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/signature/ObjectContainer.java Fri May 10 16:28:51 2013 -0400 @@ -68,9 +68,8 @@ */ public void setId(String Id) { - if ((Id != null)) { - this._constructionElement.setAttributeNS(null, Constants._ATT_ID, Id); - IdResolver.registerElementById(this._constructionElement, Id); + if (Id != null) { + setLocalIdAttribute(Constants._ATT_ID, Id); } } diff -r ad785fb5f898 -r 1112bf018977 src/share/classes/com/sun/org/apache/xml/internal/security/signature/Reference.java --- a/src/share/classes/com/sun/org/apache/xml/internal/security/signature/Reference.java Wed Mar 20 13:39:56 2013 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/signature/Reference.java Fri May 10 16:28:51 2013 -0400 @@ -284,8 +284,7 @@ public void setId(String Id) { if ( Id != null ) { - this._constructionElement.setAttributeNS(null, Constants._ATT_ID, Id); - IdResolver.registerElementById(this._constructionElement, Id); + setLocalIdAttribute(Constants._ATT_ID, Id); } } diff -r ad785fb5f898 -r 1112bf018977 src/share/classes/com/sun/org/apache/xml/internal/security/signature/SignatureProperties.java --- a/src/share/classes/com/sun/org/apache/xml/internal/security/signature/SignatureProperties.java Wed Mar 20 13:39:56 2013 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/signature/SignatureProperties.java Fri May 10 16:28:51 2013 -0400 @@ -25,6 +25,7 @@ import com.sun.org.apache.xml.internal.security.utils.IdResolver; import com.sun.org.apache.xml.internal.security.utils.SignatureElementProxy; import com.sun.org.apache.xml.internal.security.utils.XMLUtils; +import org.w3c.dom.Attr; import org.w3c.dom.Document; import org.w3c.dom.Element; @@ -61,6 +62,21 @@ public SignatureProperties(Element element, String BaseURI) throws XMLSecurityException { super(element, BaseURI); + + Attr attr = element.getAttributeNodeNS(null, "Id"); + if (attr != null) { + element.setIdAttributeNode(attr, true); + } + + int length = getLength(); + for (int i = 0; i < length; i++) { + Element propertyElem = + XMLUtils.selectDsNode(getElement(), Constants._TAG_SIGNATUREPROPERTY, i); + Attr propertyAttr = propertyElem.getAttributeNodeNS(null, "Id"); + if (propertyAttr != null) { + propertyElem.setIdAttributeNode(propertyAttr, true); + } + } } /** @@ -109,9 +125,8 @@ */ public void setId(String Id) { - if ((Id != null)) { - this._constructionElement.setAttributeNS(null, Constants._ATT_ID, Id); - IdResolver.registerElementById(this._constructionElement, Id); + if (Id != null) { + setLocalIdAttribute(Constants._ATT_ID, Id); } } diff -r ad785fb5f898 -r 1112bf018977 src/share/classes/com/sun/org/apache/xml/internal/security/signature/SignatureProperty.java --- a/src/share/classes/com/sun/org/apache/xml/internal/security/signature/SignatureProperty.java Wed Mar 20 13:39:56 2013 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/signature/SignatureProperty.java Fri May 10 16:28:51 2013 -0400 @@ -80,9 +80,8 @@ */ public void setId(String Id) { - if ((Id != null)) { - this._constructionElement.setAttributeNS(null, Constants._ATT_ID, Id); - IdResolver.registerElementById(this._constructionElement, Id); + if (Id != null) { + setLocalIdAttribute(Constants._ATT_ID, Id); } } diff -r ad785fb5f898 -r 1112bf018977 src/share/classes/com/sun/org/apache/xml/internal/security/signature/XMLSignature.java --- a/src/share/classes/com/sun/org/apache/xml/internal/security/signature/XMLSignature.java Wed Mar 20 13:39:56 2013 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/signature/XMLSignature.java Fri May 10 16:28:51 2013 -0400 @@ -49,9 +49,11 @@ import com.sun.org.apache.xml.internal.security.utils.XMLUtils; import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver; import com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverSpi; +import org.w3c.dom.Attr; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; +import org.w3c.dom.NodeList; import org.w3c.dom.Text; @@ -306,6 +308,10 @@ throw new XMLSignatureException("xml.WrongContent", exArgs); } + Attr signatureValueAttr = signatureValueElement.getAttributeNodeNS(null, "Id"); + if (signatureValueAttr != null) { + signatureValueElement.setIdAttributeNode(signatureValueAttr, true); + } // Element keyInfoElem = XMLUtils.getNextElement(signatureValueElement.getNextSibling());//XMLUtils.selectDsNode(this._constructionElement.getFirstChild(), @@ -316,6 +322,34 @@ keyInfoElem.getLocalName().equals(Constants._TAG_KEYINFO)) ) { this._keyInfo = new KeyInfo(keyInfoElem, BaseURI); } + + // + Element objectElem = + XMLUtils.getNextElement(signatureValueElement.getNextSibling()); + while (objectElem != null) { + Attr objectAttr = objectElem.getAttributeNodeNS(null, "Id"); + if (objectAttr != null) { + objectElem.setIdAttributeNode(objectAttr, true); + } + + NodeList nodes = objectElem.getChildNodes(); + int length = nodes.getLength(); + // Register Ids of the Object child elements + for (int i = 0; i < length; i++) { + Node child = nodes.item(i); + if (child.getNodeType() == Node.ELEMENT_NODE) { + Element childElem = (Element)child; + String tag = childElem.getLocalName(); + if (tag.equals("Manifest")) { + new Manifest(childElem, BaseURI); + } else if (tag.equals("SignatureProperties")) { + new SignatureProperties(childElem, BaseURI); + } + } + } + + objectElem = XMLUtils.getNextElement(objectElem.getNextSibling()); + } } /** @@ -325,9 +359,8 @@ */ public void setId(String Id) { - if ( (Id != null)) { - this._constructionElement.setAttributeNS(null, Constants._ATT_ID, Id); - IdResolver.registerElementById(this._constructionElement, Id); + if (Id != null) { + setLocalIdAttribute(Constants._ATT_ID, Id); } } diff -r ad785fb5f898 -r 1112bf018977 src/share/classes/com/sun/org/apache/xml/internal/security/signature/XMLSignatureInput.java --- a/src/share/classes/com/sun/org/apache/xml/internal/security/signature/XMLSignatureInput.java Wed Mar 20 13:39:56 2013 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/signature/XMLSignatureInput.java Fri May 10 16:28:51 2013 -0400 @@ -27,7 +27,7 @@ import java.io.OutputStream; import java.io.UnsupportedEncodingException; import java.util.ArrayList; -import java.util.HashSet; +import java.util.LinkedHashSet; import java.util.List; import java.util.Set; @@ -243,13 +243,13 @@ if (circumvent) { XMLUtils.circumventBug2650(XMLUtils.getOwnerDocument(_subNode)); } - this._inputNodeSet = new HashSet(); + this._inputNodeSet = new LinkedHashSet(); XMLUtils.getSet(_subNode,this._inputNodeSet, excludeNode, this.excludeComments); return this._inputNodeSet; } else if (this.isOctetStream()) { convertToNodes(); - HashSet result=new HashSet(); + LinkedHashSet result = new LinkedHashSet(); XMLUtils.getSet(_subNode, result,null,false); //this._inputNodeSet=result; return result; diff -r ad785fb5f898 -r 1112bf018977 src/share/classes/com/sun/org/apache/xml/internal/security/utils/ElementProxy.java --- a/src/share/classes/com/sun/org/apache/xml/internal/security/utils/ElementProxy.java Wed Mar 20 13:39:56 2013 -0700 +++ b/src/share/classes/com/sun/org/apache/xml/internal/security/utils/ElementProxy.java Fri May 10 16:28:51 2013 -0400 @@ -515,4 +515,16 @@ return prefixMappings.get(namespace); } + protected void setLocalIdAttribute(String attrName, String value) { + + if (value != null) { + Attr attr = getDocument().createAttributeNS(null, attrName); + attr.setValue(value); + getElement().setAttributeNodeNS(attr); + getElement().setIdAttributeNode(attr, true); + } + else { + getElement().removeAttributeNS(null, attrName); + } + } } diff -r ad785fb5f898 -r 1112bf018977 src/share/classes/org/jcp/xml/dsig/internal/dom/ApacheNodeSetData.java --- a/src/share/classes/org/jcp/xml/dsig/internal/dom/ApacheNodeSetData.java Wed Mar 20 13:39:56 2013 -0700 +++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/ApacheNodeSetData.java Fri May 10 16:28:51 2013 -0400 @@ -48,7 +48,7 @@ public Iterator iterator() { // If nodefilters are set, must execute them first to create node-set - if (xi.getNodeFilters() != null) { + if (xi.getNodeFilters() != null && !xi.getNodeFilters().isEmpty()) { return Collections.unmodifiableSet (getNodeSet(xi.getNodeFilters())).iterator(); } diff -r ad785fb5f898 -r 1112bf018977 src/share/classes/org/jcp/xml/dsig/internal/dom/DOMRetrievalMethod.java --- a/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMRetrievalMethod.java Wed Mar 20 13:39:56 2013 -0700 +++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMRetrievalMethod.java Fri May 10 16:28:51 2013 -0400 @@ -230,6 +230,21 @@ } catch (Exception e) { throw new URIReferenceException(e); } + + // guard against RetrievalMethod loops + if ((data instanceof NodeSetData) && Utils.secureValidation(context)) { + NodeSetData nsd = (NodeSetData)data; + Iterator i = nsd.iterator(); + if (i.hasNext()) { + Node root = (Node)i.next(); + if ("RetrievalMethod".equals(root.getLocalName())) { + throw new URIReferenceException( + "It is forbidden to have one RetrievalMethod point " + + "to another when secure validation is enabled"); + } + } + } + return data; } diff -r ad785fb5f898 -r 1112bf018977 src/share/classes/org/jcp/xml/dsig/internal/dom/Utils.java --- a/src/share/classes/org/jcp/xml/dsig/internal/dom/Utils.java Wed Mar 20 13:39:56 2013 -0700 +++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/Utils.java Fri May 10 16:28:51 2013 -0400 @@ -107,6 +107,9 @@ } static boolean secureValidation(XMLCryptoContext xc) { + if (xc == null) { + return false; + } return getBoolean(xc, "org.jcp.xml.dsig.secureValidation"); } diff -r ad785fb5f898 -r 1112bf018977 test/com/sun/org/apache/xml/internal/security/TruncateHMAC.java --- a/test/com/sun/org/apache/xml/internal/security/TruncateHMAC.java Wed Mar 20 13:39:56 2013 -0700 +++ b/test/com/sun/org/apache/xml/internal/security/TruncateHMAC.java Fri May 10 16:28:51 2013 -0400 @@ -97,6 +97,7 @@ System.out.println("PASSED"); } else { System.out.println("FAILED"); + atLeastOneFailed = true; } } }